Windows Server : Designing a Software Update Infrastructure (part 2)

System Center Essentials 2007

Although limited to managing 500 client computers and 30 servers, SCE 2007 provides more features for the deployment of software updates than WSUS 3.0 SP1 does. The primary difference between the products is that you can also use SCE 2007 to deploy software updates to non-Microsoft products. SCE 2007 provides advanced update distribution control and scheduling flexibility and basic compliance-checking functionality and inventory management. Although SCE 2007 functions as much more than as a platform for deploying software updates, such as providing health reports and software and hardware inventory, this lesson discusses the update functionality in particular. Only SCE 2007 SP1 or later can be installed on a computer running Windows Server 2008.

Unlike WSUS 3.0 SP1, SCE 2007 SP1 is not a free add-on to Windows Server 2008; a nonevaluation version must be purchased from Microsoft when permanently deployed in a production environment. SCE 2008 stores configuration data in a Microsoft SQL Server database. It can either use SQL Server Express, which you can install during the SCE 2007 installation process, or store this data in a separate SQL Server 2005 SP2 or SQL Server 2008 database. The SQL Server 2005 SP2 or SQL Server 2008 database does not need to be hosted on the same server as the other SCE 2007 components, and all SCE 2007, including the database, can be installed on a computer hosting the Active Directory Domain Services (AD DS) role.

SCE offers the following:

• Update management for Microsoft and third-party applications and devices.

• Software deployment of MSI and EXE installed software packages, including third-party applications and Office 2007.

• Hardware and software inventory with attributes collected for items such as available disk space, RAM usage, and installed applications with version numbers.

SCE 2007 interfaces with client agent software that installs during the SCE 2007 discovery process. SCE discovery involves the SCE 2007 server detecting all computers on the network. When you run the discovery process, you select which of the detected computers the SCE 2007 server will manage. The user account you use to perform the SCE discovery process must have administrative rights on all computers that the SCE 2007 server will manage. After you select a computer for SCE 2007 to manage, the agent software is automatically deployed to that computer.

SCE 2007 Software Update Configuration

The SCE 2007 software update process is similar to the WSUS 3.0 SP1 software update process, and SCE 2007 SP1 is built on top of WSUS 3.0 SP1. The SCE 2007 SP1 setup process enables you to migrate WSUS 3.0 SP1 settings so that you retain existing computer groups and software update approvals when moving to the new software update platform. As with WSUS 3.0 SP1, you can use computer groups and approval rules with SCE 2007 to stagger and automate the deployment of updates. The biggest difference between the two platforms is that you can use SCE 2007 to deploy updates and service packs to third-party applications. This functionality is not available in WSUS 3.0 SP1.

As also with WSUS 3.0 SP1, the source of Microsoft-related SCE 2007 updates can be either the local SCE 2007 server or Microsoft Update. SCE 2007 can use a local source to deploy updates only for third-party applications. When deploying updates to third-party applications, you run the New Update Wizard to create an update package. When the update package is created, you select the computer groups to which the update package will be deployed.

SCE 2007 in the Enterprise

When considering SCE 2007 as a software update solution in an enterprise environment, remember the following facts:

• SCE 2007 can provide software updates to a maximum of 30 servers and 500 client computers. Most enterprise environments have more computers than this, which might necessitate multiple SCE 2007 servers or mean that you will need to deploy System Center Configuration Manager 2007 if your organization requires advanced software update functionality.

• You can install only one SCE 2007 server in an Active Directory domain. It is possible to have multiple SCE 2007 servers in an Active Directory forest as long as there is only one SCE 2007 server per domain. If the domains in your organization all have fewer than 500 clients and 30 servers, SCE 2007 is a viable software update platform.

• You cannot use SCE 2007 in a workgroup environment. All SCE 2007 clients must be members of the same Active Directory forest.

• SCE 2007 cannot function as part of a WSUS hierarchy. You can deploy WSUS alongside SCE 2007, but the two software update platforms do not directly interoperate.

• You can use SCE 2007 to provide software updates to computers in different domains from the SCE 2007 server as long as these computers are in the same Active Directory forest, and the 500-client, 30-server limit has not been reached.

• You cannot use a single SCE 2007 server as a software update provider for computers in different Active Directory forests.

SCE 2007 works very well as a software update solution in an organization that has a single site and fewer than 500 client computers and 30 server computers. SCE 2007 is not an optimal solution for an organization that has multiple sites connected by WAN links. This is because pushing software updates across WAN links might flood those links with traffic. As mentioned earlier, you cannot deploy SCE 2007 as part of a hierarchy, and you cannot deploy multiple SCE 2007 servers within the same domain.

System Center Configuration Manager 2007

System Center Configuration Manager (SCCM) 2007 provides a software update solution for enterprise-sized environments that exceed the 500-client, 30-server capacity of SCE 2007. As with SCE 2007, an organization must purchase SCCM 2007 prior to deploying the product permanently as a software update solution. SCCM 2007 does not ship with its own SQL Server database, and you must deploy and configure SQL Server 2005 SP1 or SQL Server 2008 in your environment prior to deploying SCCM 2007. Only SCCM 2007 SP1 or later can be deployed on a computer running Windows Server 2008. Although you can also use SCCM 2007 to deploy operating systems and distribute software, the coverage in this lesson concentrates on the software update deployment and management features of the product.

Like SCE 2007, SCCM 2007 can publish software updates for third-party products. Unlike SCE 2007, SCCM 2007 can also use hierarchies, with primary sites, secondary sites, parent sites, child sites, and central sites. All sites in a hierarchy must be part of the same Active Directory forest. Each site requires one site server running SCCM 2007. Each site type has the following properties:

• Primary site This is the first SCCM 2007 site. It stores the SCCM 2007 data for itself and for all sites below it in the hierarchy in a SQL Server database.

• Secondary site This site has no local SQL Server database. It is attached to the primary site and administered from the primary site. Secondary sites require no additional SCCM 2007 license. Secondary sites cannot have other sites below them in the hierarchy.

• Parent sites This kind of site has other sites attached to it in a hierarchy.

• Child sites A child site is attached to a site above it in the hierarchy. A child site can be either a primary site or a secondary site.

• Central site Central sites have no parent sites. These sites are sometimes called standalone sites.

More Info: More on sites

To understand more about SCCM 2007 sites, consult the following TechNet article: http://technet.microsoft.com/en-us/library/bb632547.aspx.

SCCM 2007 sites host software update points. Software update points distribute software updates to computers in the organization. WSUS 3.0 SP1 must be installed on a computer running Windows Server 2008 before it can be configured as an SCCM 2007 software update point. When configured as a software update point, you perform all management tasks by using the SCCM 2007 console rather than by the original WSUS administration tools.

Practice: Windows Server 2008 Software Update Infrastructure

In this practice, you will install two software update solutions. In the first exercise, you will deploy Windows Server Update Services 3.0 SP1 on server Glasgow. In the second exercise, you will work with an evaluation virtual hard disk (VHD) of SCE 2007.

Before beginning Exercise 1, “Install WSUS 3.0 SP1 on Windows Server 2008,” you must perform the following tasks:

• Download Windows Server Update Services 3.0 SP1 from http://go.microsoft.com/fwlink/?LinkId=71266.

• Download Report Viewer from http://www.microsoft.com/Downloads/details.aspx?familyid=8A166CAC-758D-45C8-B637-DD7726E61367&displaylang=en.

Before beginning Exercise 2, “SCE 2007 VHD,” you must perform the following tasks:

• Download the System Center Essentials 2007 Virtual Hard Disk from http://www.microsoft.com/downloads/details.aspx?FamilyID=27342759-e9d6-4073-918c-e9dff77d0206&DisplayLang=en.

• Configure Virtual PC, Virtual Server, Hyper-V, or an alternative solution to host this virtual machine. Instructions included with the virtual hard disk explain how to install this computer. Configure the virtual machine so that it has access to the Internet.

▸ Exercise 1 Install WSUS 3.0 SP1 on Windows Server 2008

In this practice, you will install WSUS 3.0 SP1 on Windows Server 2008. You will configure this installation so that updates are stored on the Microsoft Update servers. This practice should be considered optional because it requires Internet access. You can configure server Glasgow to access the Internet by adding a second network card or by adding a virtual network card and configuring Virtual Machine network settings appropriately. This practice also assumes that you have not installed IIS on server Glasgow. If IIS has been installed, use the Add Role Services functionality to add the additional required components listed in step 4 instead of performing step 3.

1.	Log on to server Glasgow using the Kim_Akers user account.
2.	Install Report Viewer on server Glasgow.
3.	Use the Server Manager console to add the Web Server (IIS) role. Add any required features. Ensure that the ASP.NET, Windows Authentication, and IIS 6 Metabase Compatibility options are selected.
4.	Verify that the features listed in the Confirm Installation Selections dialog box match those shown in Figure 4, and then click Install. When the installation process completes, click Close. Figure 4. Preparing IIS for the installation of WSUS
5.	Double-click the installation file you downloaded to start the WSUS 3.0 SP1 setup process. Install WSUS 3.0 SP1 with the following configurations: Complete a full server installation, including Administration Console. Do not store updates locally. Install the Windows Internal Database locally, as shown in Figure 5. Figure 5. Configuring WSUS database options Use the existing IIS Default Web Site. The Windows Server Update Services Configuration Wizard automatically starts when the installation of WSUS 3.0 SP1 is complete.
6.	If your Windows Server 2008 computer does not have a connection to the Internet, click Cancel at this point.
7.	On the Choose Upstream Server page, shown in Figure 6, select Synchronize From Microsoft Update. Figure 6. Configuring synchronization options
8.	Unless your organization uses a proxy server that requires authentication, you do not need to specify a proxy server.
9.	On the Connect To Upstream Server page, click Start Connecting to contact Microsoft Update to determine the type of updates available, the products that can be updated, and the available languages.
10.	On the Choose Products page shown in Figure 7, select the All Products check box. On the Choose Classifications page, select the All Classifications check box. Figure 7. Choose products that WSUS can update
11.	On the Set Sync Schedule page, select Synchronize Manually.
12.	Ensure that Launch The Windows Server Update Services Administration Console and Begin Initial Synchronization check boxes are cleared, and then finish the installation.
13.	When the installation completes, you should open the Update Services console and investigate creating computer groups, creating auto-approval rules and the reporting functionality of WSUS 3.0 SP1. This investigation will help you develop plans to deploy WSUS within your environment.

▸ Exercise 2 SCE 2007 VHD

In this exercise, you will configure the SCE VHD virtual machine and explore the update features available in SCE 2007. To complete the practice, perform the following steps:

1.	Log on to the System Center Essentials 2007 VHD virtual machine, using the username Administrator and the password Evaluation1.
2.	Use DCPROMO to promote the server to a domain controller (DC) of the new domain, fabrikam.internal, in a new forest, using the default settings.
3.	Configure DNS locally on the server, and the Windows Installation Files can be located in the C:\WindowsInstallationFiles\i386 folder. Use Evaluation1 as the restore mode password.
4.	When you have finished configuring the computer as a DC, double-click the Essentials Setup icon, located on the desktop.
5.	Start the installation by clicking Full Setup on the System Center Essentials 2007 Setup page.
6.	Complete the installation process, accepting the default settings except on the Installation Location page of the setup wizard, on which you should select the Get Update Files From The Microsoft Update Website option, as shown in Figure 8. Use the Administrator account as the computer management account. Finish the installation by choosing not to check for updates at this time. Figure 8. Location of update files
7.	Use the System Center Essentials Console to create computer groups named Testers, Accountants, and Research. Add the computer account for SCEVHDSERVER.fabrikam. internal to each of these groups.
8.	From the Updates menu, select Configure Microsoft Update settings. Navigate through the wizard, synchronizing with Microsoft Update and configuring SCE 2007 to provide updates to Exchange Server, Microsoft Office, SQL Server, and Windows. Accept all other default settings.